The government of Iran has banned the popular messaging app Telegram, claiming it was necessary for national security. Russia wants it banned, and suddenly it seems Telegram’s name is everywhere. Before you rush out and download the app based on that quasi-endorsement, however, read on.

You may or may not remember that three years ago, Telegram put out a bug contest; if you could crack their encryption, you’d win a few hundred thousand in Bitcoin. There was just one problem.

Zuk Avraham from Zimperium Mobile Security managed to find the secret text through a different approach that led to finding the strings in a non-encrypted form.

He started from the premise that hackers do not play by the rules and relied on an exploit for a Linux kernel vulnerability (CVE-2014-3153, also known as TowelRoot) to gain elevated privileges on the affected machine, and thus extracted Telegram’s process memory. By analyzing the dump file, he could easily find the text strings used for the test.

Taking advantage of the root shell access he gained on the machine with TowelRoot, he found among the files of the application an SQL database called “Cache4.db,” which appeared to include tables with encrypted content (“enc_chats” and “enc_tasks_v2”).

Brief examination showed that they indeed included the communication, but it was in plain text and all the messages used during the test could be seen.

For a while, Telegram became the laughingstock of the crypto community. Cryptofails said it “seems to disregard all of the important crypto research from the past two decades,” and Softpedia pointed out that the company didn’t even respond to queries about how bad it failed. Gizmodo didn’t beat around the bush; they simply said stop using it. Now. Motherboard pointed out there’s a reason why you don’t “roll your own” crypto.

Supposedly, since then Telegram has fixed some of those problems, but most experts aren’t convinced. In addition, in February Telegram released a white paper as part of their ICO, and Jason Bloomberg over at Forbes flat out called it a scam. That was actually one of the kinder things being said; Token Economy called it “a bunch of crap.”

EFF is no longer recommending messenger apps, calling the whole industry a “secure mess,” so unless you’re pretty good at either understanding crypto or have the time and inclination to learn how to understand articles like these, you’re going to be operating from an unsafe place, because you can’t/shouldn’t rely on other people’s recommendations, and you can’t verify things for yourself.

In addition, you need to understand that just because one person uses X, and it’s perfect for their situation, doesn’t mean you should use it too. It might be the worst idea ever for you, depending on what you need it for.

It all goes back to (yet another group of) the golden rules:

  • If it’s online, don’t use it for sensitive information.
  • Understand what your sensitive information includes (“Everything!” is not a good answer).
  • Just because you don’t feel like doing the right thing for privacy and security doesn’t mean the people you associate with want you being stupid with THEIR information.
  • Meatspace trumps all.


Bottom line? There’s drinking responsibly while understanding inherent risk and taking steps to mitigate that risk, and then there’s downing 12 shots of Patron tequila after “pre-gaming” with a bottle of Boone’s Farm, 45 minutes before attending your godchild’s christening. Using Telegram is kind of like #2.

Liked it? Take a second to support us on Patreon!
Share this: